It is surprising to some and shocking to many. Despite the rough patch the US-based ride-hailing service has been going through amid allegations of sexual harassment, federal criminal probes, and a trade-secret theft lawsuit, many of us still believed in Uber's legitimacy as a service provider. Bloomberg has now burst that bubble for Uber users. According to its report, Uber Technologies Inc. paid hackers $100,000 to conceal a massive data breach that exposed the private details of around 57 million Uber accounts.
The breach occurred in October 2016, and for over a year Uber managed to keep it secret by paying the hackers that hefty sum. Sensitive personal records of Uber users, both drivers and riders, were stolen in the breach.
Joe Sullivan, Uber's Chief Security Officer, was responsible for the deal with the hackers. The company has since fired Sullivan and one of his deputies. Remarkably, Uber's ex-CEO and co-founder Travis Kalanick was unaware of the breach, which happened during his tenure, while the current CEO, Dara Khosrowshahi, learned of it only recently.
In response to Bloomberg’s report, Khosrowshahi stated in a press release that the incident is inexcusable: “None of this should have happened, and I will not make excuses for it,” said Khosrowshahi.
He further explained that two hackers accessed and downloaded files containing a considerable amount of information, including the names and driver's license numbers of 600,000 US drivers, and personal data such as the names, email addresses and mobile phone numbers of 57 million Uber users worldwide.
When the breach was identified, the company hired forensic experts to assess the extent of the damage, and they concluded that financial information such as credit card numbers, social security numbers and bank account details was not downloaded. Note, however, that "not downloaded" is not the same as "not accessed": the finding does not establish that financial data was never reached.
According to Bloomberg's report, at the time of the hack Uber was in talks with US regulators over separate privacy violations, and its case with the Federal Trade Commission over the mishandling of customer data had only just been settled. The company launched an internal investigation into the activities of Sullivan's security team, and it was during that investigation that the hack and the subsequent cover-up were discovered.
Uber's security practices are open to question: the attackers obtained login credentials that Uber engineers had carelessly left in a GitHub repository, and used those credentials to access an Amazon Web Services server where the data was stored. That is a reckless attitude from the employees of such a sought-after and trusted service. Equally objectionable is that such a large volume of sensitive user data was stored, unencrypted, on a third-party service.
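The root cause described above, credentials committed to a code repository, is the kind of defect a pre-commit or repository scan can catch before the push ever happens. The following is an added example written for this page, not code from Uber, GitHub or any vendor the article mentions: it searches text for AWS access key IDs by their documented prefix format and for secret access keys by assignment context plus a Shannon-entropy threshold, so that a 40-character placeholder does not trip the scanner. The sample configuration is constructed, its key values are the placeholder credentials from AWS documentation rather than real keys, and the threshold of 4.0 bits per character is an assumption chosen for this example.

```python
import math
import re
from dataclasses import dataclass

# AWS access key IDs: long-term keys start with AKIA, temporary (STS) keys
# with ASIA, followed by 16 uppercase alphanumerics. The lookarounds stop
# the pattern from matching inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 characters from the base64 alphabet. On its own
# that matches far too much, so we require an assignment-like context
# (aws_secret_access_key = ..., secret_key: ..., etc.) and, below, enough
# entropy in the value to look like key material rather than a placeholder.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key|aws_?secret)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Random 40-char keys score well above 4;
    repeated or dictionary-like placeholders score much lower."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_secret_entropy: float = 4.0) -> list[Finding]:
    """Return every credential-looking token in `text`, with its 1-based line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Assumed threshold: 4.0 bits/char separates real keys from filler.
            if shannon_entropy(candidate) >= min_secret_entropy:
                findings.append(Finding(line_no, "aws_secret_access_key", candidate))
    return findings


def redact(value: str) -> str:
    """Show only the first four characters so reports do not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


# Constructed sample: a config file an engineer might accidentally commit.
# The key values are the placeholder credentials from AWS documentation,
# not real ones. The last line is a low-entropy dummy the scanner should skip.
SAMPLE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder below should be ignored by the entropy check
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} = {redact(f.value)}")
```

Wired into a pre-commit hook, the same `scan_text` call can be run over `git diff --cached` output so that a commit containing a key is rejected before it reaches a remote; the entropy check is what keeps such a hook from firing on every example value in documentation.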
Now that the cover-up has become public, Uber has hired a former general counsel of the NSA to overhaul its security practices and has retained the cyber-security firm Mandiant.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers,” said Uber’s CEO Khosrowshahi.
The company maintains that there is no evidence of fraud and that riders therefore need not worry, while drivers whose license numbers were exposed will be offered free identity theft protection and credit monitoring.
A GitHub representative stated that the breach was not caused by a security failure on GitHub's part.
Stephen Moore, Chief Security Strategist at Exabeam, said that Uber's concealment of the breach was indefensible.
“Hiding a data breach is an interesting move, to say the least, but paying an adversary $100,000 in an attempt to cover up the problem is unconscionable. Underneath the headline shock-and-awe value of this breach, the root cause is ultimately the misuse of cloud credentials and the difficulty that companies face in detecting this misuse. Operationally, this cover-up will receive great interest from external audit and likely result in class action litigation,” Moore stated in an email.
Rich Campagna, CEO of Bitglass, also criticized Uber for paying the hackers simply to hide its failure to protect user data.
“Acquiring credentials to access sensitive data is increasingly easy and incredibly lucrative for today’s hackers. These hackers earned $100,000 without even selling any of the data. Static passwords, such as the one used to access Uber’s AWS account, simply cannot provide effective corporate protection anymore. Enterprises must follow best practices in authenticating users, starting with multi-factor authentication and a more proactive approach to identifying suspicious login locations,” said Campagna.